Network Profiles
Network -> Network Profiles
IKE Gateways, IPSec Crypto profiles, '''and IKE crypto profiles''' = support configuration and operation of IPSec VPNs.
*IKE Gateways = configuration information that is necessary to perform IKE protocol negotiation with peer gateways when setting up IPSec VPN tunnels.
*IKE Crypto profiles = specify the protocols and algorithms for Phase 1 identification, authentication, and encryption in VPN tunnels.
*IPSec Crypto profiles = specify the protocols and algorithms for Phase 2 identification, authentication, and encryption in VPN tunnels.
Monitor Profiles = Used to monitor IPSec tunnels and to monitor a next-hop device for policy based forwarding (PBF) rules.
*Used to specify an action to take when a resource (IPSec tunnel or next-hop device) becomes unavailable.
Interface Management Profile = Specifies the protocols that can be used to manage the firewall on Layer 3 interfaces, including VLAN and loopback interfaces.
Zone Protection Profile = Determines how the firewall responds to attacks from individual security zones.
*Flood Protection = Protects against SYN, ICMP, UDP and other IP-based flooding attacks.
*Reconnaissance Detection = Allows you to detect and block commonly used port scans and IP address sweeps that attackers run to find potential attack targets.
*Packet-based Attack Protection = Protects against large ICMP packets and ICMP fragment attacks as well as a number of IP and TCP level attacks.
**Per-zone non-SYN TCP behavior can also be specified.
QoS Profiles = These profiles determine how the QoS traffic classes are treated.
*You can set overall limits on bandwidth regardless of class and also set limits for individual classes. You can also assign priorities to different classes. Priorities determine how traffic is treated in the presence of contention.

'Monitor Profiles'
The Default Monitor Profile:
ACTION = Specifies the action to take if the tunnel is not available.
If the threshold number of heartbeats is lost, the firewall takes the specified action.
*Wait-recover = Wait for the tunnel to recover; do not take additional action. Packets will continue to be sent according to the PBF rule.
*Fail-over = Traffic will fail over to a backup path, if one is available.
**The firewall uses a routing table lookup to determine routing for the duration of this session.
INTERVAL = The time in seconds between heartbeats (default 3, range 2-10).
THRESHOLD = The number of heartbeats to be lost before the firewall takes the specified action (default 5, range 2-100).

'Applying a Monitor Profile to an IPSec Tunnel:'
Network -> IPSec Tunnel -> General Tab -> Show Advanced Options -> Tunnel Monitor -> Profile dropdown
*The firewall monitors the specified IP address through the tunnel to determine if the tunnel is working properly according to the defined Monitor Profile.
**If the tunnel monitor IP is not reachable, the action will be taken based on the settings you chose in the Monitor Profile (wait-recover OR fail-over).

'Interface Management Profiles'
*HTTPS = If you enable HTTPS access on an in-band port and GlobalProtect is enabled on the same port, the port used for HTTPS access is automatically set to 4443 instead of 443.
*Response Pages = Controls whether the ports used to serve captive portal and URL filtering response pages are open on Layer 3 interfaces. Ports 6080 and 6081 are left open if this is enabled.
*User-ID Service = This option is needed to allow communication between firewalls when a firewall is acting as a redistribution point to provide user mapping information to other PAN-OS firewalls.

'Zone Protection Profiles'
Zone protection profiles protect against the most common floods, reconnaissance attacks and other packet-based attacks. They apply to the ingress zone (the zone where traffic enters the firewall). Zone protection settings apply to all interfaces within the zone for which the profile is configured.
Zone protection is only enforced when there is no session match for the packet. If the packet matches an existing session, it bypasses the zone protection settings.
Zone protection logs are found under Threat Logs.
*For flood attacks (SYN, UDP, ICMP) the Threat Log will show '''0.0.0.0''' for attacker and victim, as there is typically more than one IP address that is the source and destination of the attack.
*The source and destination zones in the Threat Log will always be the same: the source zone of the attack.

'FLOOD PROTECTION'
Flood protection in the zone protection profile has configuration options against SYN, UDP, ICMP, ICMPv6 and other IP floods.
*The values in the Alert, Activate, and ''Maximum'' fields are packets per second from one or many hosts to one or many destinations.
*Packets from any host entering the firewall from a zone that has a zone protection profile enabled are sampled at an interval of one second to determine if the rate matches the threshold values. Once a threshold is reached, an appropriate action is taken depending on the type of threshold.
**EX: an alert log is generated, a flood protection mechanism is activated, or the incoming packets are dropped.

'SYN FLOOD:'
By flooding a host or a network with incomplete TCP connections, the attacker can eventually fill up the memory buffers or spike the CPU utilization of the victim device. Once the buffers are full or the CPU is overwhelmed, the host cannot process new TCP connection requests. The attack disables normal operations.
RECOMMENDED TO USE SYN COOKIES FOR TCP SYN FLOODS.
'''- action: RED''' (Random Early Drop/Random Early Detection) = An Active Queue Management algorithm that is a common method used to protect against SYN flood attacks.
*Drop probability: <math>(M-A)\sum_{N \in (M-A)} \frac{1}{N} - (X-A)</math>
**A = Activate threshold
**M = Maximum threshold
**X = the measured incoming packet rate
**If X is less than A, the probability of a packet being dropped is 0, and if X is M the probability is 1 (100%).
*The effectiveness of RED depends on the proper calculation of the Activate and Maximum thresholds.
**If thresholds are too low, the algorithm can penalize legitimate traffic.
**If thresholds are too high, it may not detect Low-Rate DoS (LDoS) attacks.
'''- action: SYN COOKIES''' = SYN Cookie is the recommended method, as opposed to RED, for its advantages of fairness for legitimate traffic and less CPU overhead. The intention behind SYN Cookies is not to use any local resources to remember a SYN packet entering the firewall, because it might be a malicious one. When a SYN segment is received, SYN cookie does not set up a session or do policy or route lookups. It also does not maintain a connection request queue. This enables the firewall to maintain optimal CPU load and prevents exhaustion of packet buffers. With SYN Cookie, the firewall acts as a man-in-the-middle for the TCP handshake. If SYN Cookie is activated and the connection is found to be legitimate, the firewall does the sequence number translation for established connections.
*'''Alert''' = Number of SYN packets per second entering the ingress zone after which alarms are generated.
**Alarms are viewed under Threat Logs or the dashboard.
**SNMP traps and syslog messages can also be sent.
*'''Activate''' = Number of SYN packets per second entering the ingress zone after which RED or SYN cookie is triggered.
*'''Maximum''' = Number of SYN packets per second entering the ingress zone after which any new SYN packet to any host in the zone is dropped. All other non-TCP traffic to the zone will pass normally.

'ICMP FLOODS:'
*'''Alert''' = Number of ICMP packets per second entering the ingress zone after which alarms are generated.
**Alarms are viewed under Threat Logs or the dashboard.
**SNMP traps and syslog messages can also be sent.
*'''Activate''' = Number of ICMP packets per second entering the ingress zone after which RED is triggered.
*'''Maximum''' = Number of ICMP packets per second entering the ingress zone after which any new ICMP packet to any host in the zone is dropped. All other non-ICMP traffic to the zone will pass normally.

'UDP FLOODS:'
*'''Alert''' = Number of UDP packets per second entering the ingress zone after which alarms are generated.
**Alarms are viewed under Threat Logs or the dashboard.
**SNMP traps and syslog messages can also be sent.
*'''Activate''' = Number of UDP packets per second entering the ingress zone after which RED is triggered.
*'''Maximum''' = Number of UDP packets per second entering the ingress zone after which any new UDP packet to any host in the zone is dropped. All other non-UDP traffic to the zone will pass normally.

'RECONNAISSANCE'
Reconnaissance is an unauthorized user's attempt to discover and map network system devices, services available on those systems, and the vulnerabilities of those systems. It is information gathering and usually leads to actual access or DoS attacks. Ex: port scans and ICMP sweeps.
'''- Host Sweeps''' (ICMP/PING) = The attacker first sweeps the target network to determine what IP addresses are active and responsive, then attempts to find what services or ports are active on the live IP addresses. It uses ICMP echo and echo reply to map a known network.
*'''Interval (sec)''' = Time interval for port scan and host sweep detection (default of 2 seconds).
*'''Threshold (events)''' = Number of scanned ports within the specified time interval that will trigger this protection type (events).
*'''Action''' = Response to this event type:
**''Allow'' = Permits the port scan/host sweep reconnaissance.
**''Alert'' = Generates an alert for each scan or sweep that matches the threshold within the specified time interval.
**''Block'' = Drops all further packets from the source and destination for the remainder of the specified time interval.
**''Block IP'' = Drops all further packets for a specified time period.
Choose whether to block source, destination or source-and-destination traffic and enter a duration (seconds).

'PACKET BASED ATTACK PROTECTION:'
'TCP/IP DROP (sub tab)'
*'''Spoofed IP addresses''' = Enables protection against IP address spoofing.
*'''Fragmented traffic''' = Discards fragmented IP packets.
*'''Mismatched overlapping TCP segment''' = This protection mechanism uses sequence numbers to determine where packets reside within the TCP data stream. The firewall will report an overlap mismatch and drop the packet when segment data does not match in the following scenarios:
**The segment is within another segment
**The segment overlaps with part of another segment
**The segment covers another segment
*'''Reject Non-SYN TCP''' = Whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:
*https://live.paloaltonetworks.com/docs/DOC-3196
**''Global'' = Uses the system-wide setting that is assigned through the CLI.
**''Yes'' = Reject non-SYN TCP.
**''No'' = Accept non-SYN TCP. Not allowing non-SYN TCP traffic may prevent file blocking policies from working as expected in cases where the client and/or server connection is not set after the block occurs.
*'''Asymmetric Path''' = Whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:
**''Global'' = Uses the system-wide setting that is assigned through the CLI.
**''Drop'' = Drop packets that contain an asymmetric path.
**''Bypass'' = Bypass scanning on packets that contain an asymmetric path.
*'''Unknown''' = Discards packets if the IP option class and number are unknown.
*'''Malformed''' = Discards packets if they have incorrect combinations of IP option class, number, and length based on RFC 791, 1108, 1393, and 2113.
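The Reconnaissance settings above (Interval, Threshold, Action) as a small detection model, added here as an illustration; it is not PAN-OS code. The threshold of 10 distinct ports, the 60 s block-ip duration and the traffic sample are constructed values.

```python
class PortScanDetector:
    """Counts distinct destination ports per (source, destination) inside
    Interval; once Threshold is reached the configured Action
    (allow / alert / block / block-ip) is applied, as the page describes."""

    def __init__(self, interval=2.0, threshold=10, action="block-ip",
                 block_duration=60.0):
        self.interval = interval              # seconds (page default: 2)
        self.threshold = threshold            # distinct ports per interval (constructed)
        self.action = action
        self.block_duration = block_duration  # seconds; only used by block-ip
        self.windows = {}        # (src, dst) -> (window_start, {ports seen})
        self.blocked_until = {}  # src (block-ip) or (src, dst) (block) -> expiry
        self.alerts = []         # (time, src, dst, distinct_port_count)

    def handle(self, t, src, dst, dport):
        """Return 'allow' or 'drop' for one packet observed at time t (seconds)."""
        if max(self.blocked_until.get(src, 0.0),
               self.blocked_until.get((src, dst), 0.0)) > t:
            return "drop"
        start, ports = self.windows.get((src, dst), (t, set()))
        if t - start >= self.interval:   # interval elapsed: start a new count
            start, ports = t, set()
        ports.add(dport)
        self.windows[(src, dst)] = (start, ports)
        if len(ports) < self.threshold or self.action == "allow":
            return "allow"
        self.alerts.append((t, src, dst, len(ports)))    # Threat log entry
        if self.action == "block":       # drop the pair for the rest of the interval
            self.blocked_until[(src, dst)] = start + self.interval
            return "drop"
        if self.action == "block-ip":    # drop the source for block_duration
            self.blocked_until[src] = t + self.block_duration
            return "drop"
        return "allow"                   # "alert": log only, traffic continues


# Constructed traffic: 10.0.0.5 walks ports 1-12 on 192.0.2.10 within ~1.1 s;
# 10.0.0.7 is a legitimate client reusing 443 and 80 in the same period.
SAMPLE = [(i * 0.1, "10.0.0.5", "192.0.2.10", i + 1) for i in range(12)] + \
         [(i * 0.3, "10.0.0.7", "192.0.2.10", 80 if i % 2 else 443) for i in range(4)]


def run(action="block-ip"):
    """Feed SAMPLE through a detector; returns (detector, decisions per source)."""
    det = PortScanDetector(action=action)
    decisions = {}
    for t, src, dst, dport in sorted(SAMPLE):
        decisions.setdefault(src, []).append(det.handle(t, src, dst, dport))
    return det, decisions
```

With the default block-ip action the scanner is allowed nine packets, logged once when the tenth distinct port is seen, and dropped from then on, while the client reusing two ports is never affected.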
'ICMP DROP (sub tab)'
*'''ICMP Ping ID 0''' = Discards packets if the ICMP ping packet has an identifier value of 0.
*'''ICMP Fragment''' = Discards packets that consist of ICMP fragments.
*'''ICMP large packet''' = Discards ICMP packets that are larger than 1024 bytes.
*'''Suppress ICMP TTL''' = Stop sending ICMP TTL expired messages.
*'''Suppress ICMP frag needed''' = Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do-not-fragment (DF) bit set. This setting interferes with the PMTUD process performed by hosts behind the firewall.
'IPv6 DROP (sub tab)'
CLI COMMANDS:
*> ''show zone-protection zone <zone-name>''
*> ''show counter global filter aspect dos'' = Global counters with aspect "dos" will show if any counters are triggered by DoS traffic.
Tech Documents
Understanding DoS protection:
*https://live.paloaltonetworks.com/docs/DOC-5078
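The per-second Alert / Activate / Maximum evaluation and the RED drop behaviour described under FLOOD PROTECTION above, as an added example that is not part of the original page or of PAN-OS. The linear drop curve between Activate and Maximum is an assumption that matches only the two endpoints the page states (0 below A, 1 at M); the thresholds and rate series are constructed.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class FloodThresholds:
    """Packets-per-second thresholds for one flood type (SYN, UDP, ICMP)."""
    alert: int      # above this: alert log, SNMP trap / syslog
    activate: int   # above this: RED (or SYN cookies for SYN floods) engages
    maximum: int    # above this: every new packet of this type is dropped


def red_drop_probability(rate, th):
    """Drop probability for measured rate X given Activate A and Maximum M.
    Assumed linear between A and M; 0 at or below A, 1 at or above M."""
    if rate <= th.activate:
        return 0.0
    if rate >= th.maximum:
        return 1.0
    return (rate - th.activate) / (th.maximum - th.activate)


def evaluate_sample(rate, th):
    """Classify one 1-second sample of a zone's ingress rate for a flood type."""
    events = []
    if rate > th.alert:
        events.append("alert")       # Threat log / dashboard, SNMP, syslog
    if rate > th.activate:
        events.append("activate")    # RED or SYN cookie engaged
    if rate > th.maximum:
        events.append("maximum")     # all new packets of this type dropped
    return events


def simulate_red(rates, th, seed=1):
    """Apply RED to each 1-second rate; returns packets accepted per second
    (deterministic through the seed)."""
    rng = random.Random(seed)
    accepted = []
    for rate in rates:
        p = red_drop_probability(rate, th)
        accepted.append(sum(1 for _ in range(rate) if rng.random() >= p))
    return accepted


# Constructed SYN thresholds and a constructed 6-second rate series: normal
# load, a ramp through Alert and Activate, then a burst at and beyond Maximum.
SYN_THRESHOLDS = FloodThresholds(alert=500, activate=1000, maximum=4000)
SAMPLE_RATES = [300, 800, 1500, 2500, 4000, 6000]

if __name__ == "__main__":
    for rate, ok in zip(SAMPLE_RATES, simulate_red(SAMPLE_RATES, SYN_THRESHOLDS)):
        print(rate, evaluate_sample(rate, SYN_THRESHOLDS), "accepted:", ok)
```

Running the same series against a lower Activate value shows the page's caveat: legitimate load between the two thresholds starts to be dropped at random.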